Solved: How to count stats by grouping substring from an U...

prakashpnvs · ‎09-18-2019

Here is my search:
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/*

and I have the following logs in my search:
/PL/data/2.0/space/appA/29323820jdd3723.txt
/PL/data/2.0/space/appA/search/373367672djbd
/PL/data/2.0/space/appB/abcdefsfjdf.pdf
/PL/data/2.0/space/appB/get/9668568696
/PL/data/2.0/space/appC/search/9650865686rt
/PL/data/2.0/space/appD/6384387498374.jpg

Now, I want the stats count results like below:
appA 2
appB 2
appC 1
appD 1

Anantha123 · ‎09-18-2019

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

View solution in original post

Anantha123 · ‎09-18-2019

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

prakashpnvs · ‎09-18-2019

Executed this in Splunk UI and got the results in Visualization tab
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | stats count by APP

also sorted it by ..... | sort - count

Thanks much!

How to count stats by grouping substring from an URI

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes